standby on active/active failover

Mar 2nd, 2010

Hi

I was reading this documentation

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml


for doing active/active failover using PIX 8.0. But I have the impression that the concept of standby used on the PIX firewall is not the same as the one used on Cisco routers.


I think that the command


ip address active_addr netmask standby standby_addr

does not mean that standby_addr will be used as the gateway for a network, but as the IP address of the standby unit.

If I do this on the failover interface, I don't see the point of doing it for every interface or subinterface the contexts have?

Can someone explain that clearly?

thanks

roussillon Tue, 03/02/2010 - 12:42

Hi

Another fact: if the context in the active failover-group provides the configuration for the corresponding context in the standby failover-group, I do not see the reason for creating a standby IP address for each interface, except for those used as failover interfaces.

Please correct me if I am wrong!!

thanks

Jon Marshall Tue, 03/02/2010 - 12:44

roussillon wrote:

Hi

I was reading this documentation

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml


for doing active/active failover using PIX 8.0. But I have the impression that the concept of standby used on the PIX firewall is not the same as the one used on Cisco routers.


I think that the command


ip address active_addr netmask standby standby_addr

does not mean that standby_addr will be used as the gateway for a network, but as the IP address of the standby unit.

If I do this on the failover interface, I don't see the point of doing it for every interface or subinterface the contexts have?

Can someone explain that clearly?

thanks

You are correct in that the standby address is never used as the gateway for the clients. It is used for 2 reasons -

1) so you can connect to the standby firewall

2) so the firewalls can monitor each other's state on those interfaces

You don't need to configure every interface with a standby address if you don't want to, and sometimes you don't if you are using public IP addressing on the interfaces. If you are using private addressing I can't see any reason why you wouldn't use a standby address, to be honest.

Jon

roussillon Tue, 03/02/2010 - 13:53

Thanks

I have read the Cisco documentation again,

and the standby IP for each interface or subinterface (in case of VLANs) is used for failover at the context level.

Cited from the Cisco documentation:

Failover is triggered at the failover group level when one of these events occurs:

  • Too many monitored interfaces in the group fail.

  • The no failover active group group_id or failover active group group_id command is entered.

Of course we have to monitor those interfaces.

Thanks again.
